But WhatsApp, which is owned by Facebook, disputes that the issues are vulnerabilities and says it has no plans to amend its software.

Claims of security vulnerabilities in WhatsApp tend to draw wide attention because the messaging app is used by 1.5 billion people per month. Unlike Facebook's Messenger product, WhatsApp engenders greater trust because it uses end-to-end encryption to protect transmitted content.

Check Point casts its findings as "disturbing," saying "we believe these vulnerabilities to be of utmost importance and require attention."

But a WhatsApp spokesman tells The New York Times the issues are "the equivalent of altering an email." WhatsApp acknowledges that the app works as intended and that it is possible to manipulate it in this way. But the fix - verifying every message on the platform - would either create enormous privacy risks or hamper its performance.

The New York Times reports that neither company has seen attempts to use the attacks described by Check Point in the wild.

Three Attacks

Check Point published a detailed technical blog post, as well as a video, illustrating what it contends are three possible attack scenarios.

To understand the internals of how WhatsApp works, Check Point worked out how to decrypt its messages. With the data decrypted, Check Point could then see the parameters sent along with a message, such as who sent it, timestamps and the type of device it was sent from, among many others.

The researchers also developed an extension called the WhatsApp Decoder for Burp Suite, which allows for quick manipulation of messages.
Check Point's WhatsApp Decoder, a tool for decrypting and then manipulating messages (Source: Check Point)

In one attack, Check Point alters a message sent by a fictitious boss. The boss says the attacker has been granted a $500 raise. The attacker takes the message and creates a second one that changes the raise to $1,500.

But one issue with this scenario is that the original message from the boss about the $500 raise is still visible in the message record, possibly raising suspicions.

An attacker creates a message that appears to indicate the boss has granted a higher raise. (Source: Check Point)

Crafting Fake News

In another scenario, the attacker manipulates a message sent by the administrator of the group. An altered message is then played back to the group, which appears as a quote coming from the administrator.

Check Point says this is an example of how so-called "fake news" could be spread using WhatsApp. It's not a far-fetched scenario because false information circulating on WhatsApp has been identified as possibly fueling violence, most recently in India.

The messaging app was used to spread inaccurate information that individuals in certain communities in India were looking to harvest organs from people and kidnap children, according to The Independent, a U.K. newspaper. The rumors tragically led to five men being lynched in early July.

WhatsApp limits the number of people in a group to 256. And following the violence in India, WhatsApp said in mid-July it would limit message forwarding to five chats.

Also in July, WhatsApp said it would label forwarded messages in an attempt to make it clearer to the recipient whether the message came from a friend or someone else.

Check Point's last attack scenario involves concealing a message from someone who is part of a group. But the response to the hidden message is revealed to all, prompting confusion and possibly inadvertent disclosure of information.
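The three scenarios above share one property: a reply carries its own copy of the quoted message, and the recipient's client is not shown to have checked that copy against the original. As an added illustration (not Check Point's tooling, WhatsApp's code, or anything from the original article), the following Python sketches the client-side check a recipient could apply against its own message history; the message structure, field names and sample conversation are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Message:
    """Constructed message model; not WhatsApp's real wire format."""
    msg_id: str
    sender: str
    text: str
    # Optional quote carried inside a reply: the id, sender and text
    # that the replying client *claims* the original message had.
    quoted_id: Optional[str] = None
    quoted_sender: Optional[str] = None
    quoted_text: Optional[str] = None


def audit_reply(history: Dict[str, Message], reply: Message) -> str:
    """Compare a reply's embedded quote with the recipient's stored history.

    'ok'               - no quote, or the quote matches the stored original
    'unknown_original' - reply quotes a message this client never received
                         (the hidden-message case: only the answer is public)
    'quote_mismatch'   - quoted sender or text differ from the stored original
                         (the altered-raise and forged-admin-quote cases)
    """
    if reply.quoted_id is None:
        return "ok"
    original = history.get(reply.quoted_id)
    if original is None:
        return "unknown_original"
    if (original.sender, original.text) != (reply.quoted_sender, reply.quoted_text):
        return "quote_mismatch"
    return "ok"


# Constructed sample conversation modelled on the article's raise scenario.
HISTORY: Dict[str, Message] = {
    "m1": Message("m1", "boss", "You've been granted a $500 raise."),
}
HONEST_REPLY = Message("m2", "employee", "Thanks!", "m1", "boss",
                       "You've been granted a $500 raise.")
FORGED_QUOTE = Message("m3", "employee", "Thanks!", "m1", "boss",
                       "You've been granted a $1,500 raise.")
REPLY_TO_HIDDEN = Message("m4", "employee", "Sure, sending it now.", "m9",
                          "admin", "Send me the file.")

if __name__ == "__main__":
    for r in (HONEST_REPLY, FORGED_QUOTE, REPLY_TO_HIDDEN):
        print(r.msg_id, audit_reply(HISTORY, r))
```

This check only works where the recipient actually holds the original locally, which is why the article's $500 scenario leaves a visible trace while the hidden-message scenario can only be flagged as a reply to something never received.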

Check Point's illustration of how group messages could be concealed

The company contends that in larger WhatsApp groups where many messages are sent, it is "less likely a member would have the time or inclination to double check every message to verify its authenticity, and could easily be taken in by the information they see."

Check Point contends in a separate blog post: "As already seen by spam emails that fake the sender's name to appear to be from a source the receiver trusts, this latest vulnerability would allow for similar methods to be used though from a totally different attack vector."

A Feasible Attack?

But whether the attack scenarios could actually be used depends on how easy it is for attackers to replicate Check Point's research.

Check Point managed to reverse engineer WhatsApp's encryption algorithm, a feat that could prove difficult for less skilled attackers. Still, if someone manages to do that and release the information publicly, it could make such message manipulations possible.

But WhatsApp told The New York Times that if it detects anyone using a modified version of the app to spoof the service, it would remove them from the platform.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
